I understand that the Internet is a big bad mean scary place where public-facing IP addresses constantly get bombarded with bot-attacks. But I have my router configured to forward connections on port 9000 to my server's port 22, so I am not entirely sure how there are still bot-attacks. It seemed unlikely to me that they would be port scanning all 65,535 possible ports.

I'll write a list of questions:

Did I just choose a port that's too easy to guess? What would be a better port number?

What do the port numbers in these sshd logs even mean? How can they have access to port 44493 if my router is only configured to forward port 9000 to port 22? It seems obvious to me that the port number listed is not the same thing as the outward-facing computer port, because I only access through port 9000, yet the port number listed for my own external logins is not 9000.

One of these questions (concerning port numbers) has been answered here. I found the answer after I posted the question.
– malan, Feb 11 at 16:36


By using a non-standard port, you additionally attract probes that are not necessarily meant for an SSH server, so all sorts of funky HTTP-type requests are obviously coming in.
– Kusalananda♦, Feb 11 at 16:43


and I wouldn't put it past people to scan all 65,535 ports and look for things that answer, and then to match those answering strings with typical protocols.
– Jeff Schaller♦, Feb 11 at 16:44


note also the very regular timing between the logs in the first example: 348 seconds, 348 seconds, 343 seconds. A human wouldn't wait so long, nor be so regular.
– Jeff Schaller♦, Feb 11 at 17:07


@Jeff well spotted; and that corresponds to a scan rate of 200 attempts per second, if the source is attempting connections on all ports (assuming 9000 is the only open port and is therefore the only port which adds significant delay to the scan).
– Stephen Kitt, Feb 11 at 17:22

3 Answers

There is no good port to use, only good SSH configurations. If you disable password-based logins and only allow key-based authentication, you won’t risk much from such brute-forcing attempts. You could add port-knocking, but that’s security by obscurity.

The port numbers listed on the right of the logs are the source ports; these are dynamically allocated and are on the source system, not the target system.

[preauth] means that the logged event happened before the connection was authenticated — i.e. in this case that the connection is closed before being authenticated.

All the logs from your second set of logs correspond to non-SSH traffic sent to your dæmon. You’ll see this happen quite a lot, especially since you’re listening on a non-standard port — various scanners will send requests without knowing what is listening on the other end.

Scanning large portions of the Internet, on a variety of ports, doesn’t take very long if you have well-connected systems to scan from, or a large number of compromised hosts in a botnet. See masscan for an example of a mass-scanning tool. There are also lists of known-open IP addresses and ports which are circulated; so all it takes is for one scan to find your open port 9000.
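To make two of the points above concrete (the port in each line is the remote side's source port, and Jeff Schaller's observation that the attempts arrive at near-identical intervals), here is an added example that is not code from the original question or answers: it parses a few constructed sshd lines, labels [preauth] closes and non-SSH probes, and flags sources whose attempts are spaced too regularly to be human. The log lines, host name and IPs (documentation ranges) are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample sshd lines (not from the original post). sshd listens on 22 behind
# a router forwarding 9000; neither number appears, since the logged port is the SOURCE port.
SAMPLE_LOG = """\
Feb 11 15:01:02 host sshd[1201]: Connection closed by 203.0.113.7 port 44493 [preauth]
Feb 11 15:06:50 host sshd[1210]: Connection closed by 203.0.113.7 port 51220 [preauth]
Feb 11 15:12:38 host sshd[1219]: Connection closed by 203.0.113.7 port 38871 [preauth]
Feb 11 15:18:21 host sshd[1230]: Connection closed by 203.0.113.7 port 60102 [preauth]
Feb 11 15:20:05 host sshd[1236]: Bad protocol version identification 'GET / HTTP/1.1' from 198.51.100.9 port 40212
Feb 11 15:30:00 host sshd[1244]: Accepted publickey for malan from 192.0.2.10 port 53001 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*?) "
    r"(?:from|by) (?P<ip>\d+(?:\.\d+){3}) port (?P<port>\d+)(?P<rest>.*)$"
)
def classify(msg, rest):
    if "[preauth]" in rest:
        return "closed-before-auth"   # dropped or probed before authenticating
    if msg.startswith("Bad protocol version identification"):
        return "non-ssh-probe"        # HTTP or other junk sent to sshd
    if msg.startswith("Accepted"):
        return "login"
    return "other"

def parse(log):
    """Return one dict per sshd line: time, source ip, source port, kind."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append({"time": ts, "ip": m["ip"], "port": int(m["port"]),
                       "kind": classify(m["msg"], m["rest"])})
    return events

def intervals(events):
    """Seconds between consecutive events from the same source IP."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["time"])
    return {ip: [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
            for ip, t in by_ip.items() if len(t) > 1}

def regular_sources(events, tolerance=10):
    """IPs whose gaps all lie within `tolerance` seconds of each other: scripted, not human."""
    return sorted(ip for ip, gaps in intervals(events).items()
                  if len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance)
```

Note that none of the parsed ports is 22 or 9000, including the owner's own successful login: the kernel on the connecting side picks them.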

I have been learning how to use ssh keys very recently. I only learned how to use gpg keys a month or two ago in the process of trying to set up pass. Thank you for the suggestion. (I ordered a yubikey this weekend, so I'll have another reason to play around with these sorts of things now).
– malan, Feb 11 at 17:17

As far as point 1 goes, it can be useful to layer obscurity over other forms of security in the same way that it can be useful to camouflage a tank.
– Gerald Combs, Feb 11 at 21:36

@Gerald granted, as long (IMO) as it doesn’t lull people into a false sense of security — as has happened with tanks ;-). Something like fwknop can be useful. I tend to favour other approaches which don’t involve too much setup on the client...
– Stephen Kitt, Feb 11 at 21:50

Short of a comprehensive guide to sshd logs, but addressing your points:

Did I just choose a port that's too easy to guess? What would be a better port number?

There's "only" 65,535 ports, and scanners are good at finding them, so once you've moved beyond port 22 to avoid the simplest scans, there's not a whole lot of benefit to picking one arbitrary port over another.

What do the port numbers in these sshd logs even mean? How can they have access to port (43944) if my router is only configured to forward port 9000 to port 22? I

The port numbers after the IPs, such as 209.17.97.34 port 43944, indicate the source side's port, which was likely arbitrarily chosen by the kernel on that side. It means next to nothing to you.